Senate Republicans, and House and Senate Democrats, recently introduced competing bills aimed at the privacy concerns raised by the Coronavirus (“COVID-19”) pandemic. Both bills seek to prevent the collection, use and/or disclosure of consumers’ personal information for COVID-19 response efforts without the individual’s consent to that collection, use and/or disclosure.
The Republican bill was introduced on May 7, 2020 by Senate Commerce Committee Chairman Roger Wicker (R-MS). The COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”) was co-sponsored by Senators John Thune (R-SD), Debra Fischer (R-NE), Jerry Moran (R-KS) and Marsha Blackburn (R-TN). The bill was referred to the Senate Committee on Commerce, Science, and Transportation.
On May 14, 2020, House and Senate Democrats—including Representatives Suzan DelBene (D-WA), Anna Eshoo (D-CA) and Jan Schakowsky (D-IL), and Senators Richard Blumenthal (D-CT) and Mark Warner (D-VA)—introduced a competing bill, the Public Health Emergency Privacy Act (“PHEPA”). Senators Michael Bennet (D-CO), Elizabeth Warren (D-MA), Richard Durbin (D-IL), Edward Markey (D-MA), Tammy Baldwin (D-WI), Kamala Harris (D-CA), Mazie Hirono (D-HI) and Amy Klobuchar (D-MN) also joined as co-sponsors. The bill was referred to the Senate Committee on Health, Education, Labor and Pensions.
Requirements in both bills are analogous to those in the California Consumer Privacy Act of 2018 (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”), but unlike the CCPA and the GDPR, the bills are limited to the span of the COVID-19 pandemic. The drafters are likely aiming to make compliance simple for businesses that are already preparing for the CCPA’s July 1, 2020 enforcement date or that already comply with the GDPR.
Below are some key similarities and differences between the competing bills. The two bills share the following features:
- Businesses are required to obtain an individual’s affirmative consent before collecting and using COVID-19 information and individuals must be permitted to revoke such consent at any time.
- Businesses must maintain data security measures to protect the confidentiality of the COVID-19-related information they collect and maintain.
- The requirements do not apply to service providers, meaning entities that process COVID-19 information on behalf of the business that collects it.
- The bills carve out health care providers and protected health information as defined and covered by HIPAA, as well as public health authorities. None of these parties is required to comply with either bill, as HIPAA already provides a layer of protection for personal health information.
- Both PHEPA and CCDPA require covered organizations or businesses to issue periodic public reports explaining what information was collected and the purposes for which the information was used.
- The Federal Trade Commission (“FTC”) is given the power to enforce the bills and to treat any violation as an unfair or deceptive act or practice under Section 5 of the FTC Act.
- Both bills limit the applicability of the bills to the duration of the COVID-19 public health emergency.
- State attorneys general are empowered to bring civil actions on behalf of their states’ residents against a company in violation.
The bills differ in the following respects:
- Covered data
  - PHEPA aims to protect data that is “still linked or reasonably linkable to an individual or device…that concerns the public COVID-19 health emergency.”
  - CCDPA defines “covered data” as geolocation data, proximity data (an individual’s proximity to another individual’s location), persistent identifiers and personal health information (broadly defined to include any physical or mental health status or disability, not just COVID-19-related status). Aggregated data, business contact information, de-identified data, employee screening data and publicly available information are all excluded from this definition.
- Consent for collection. Both PHEPA and CCDPA require an individual’s consent before COVID-19-related information is collected, but they differ on when consent is required.
  - PHEPA requires affirmative consent for any collection, use and/or disclosure of COVID-19 information.
  - CCDPA requires consent for the collection, processing or transfer of COVID-19 information for a “covered purpose,” defined as “tracking the spread, signs, or symptoms of COVID-19…measuring compliance with social distancing guidelines or conducting contact tracing for COVID-19 cases.”
- Covered entities
  - PHEPA applies to any organization that collects, uses and/or discloses electronic COVID-19 information, and to any developer or operator of a website or app intended to track, screen, monitor, contact trace, mitigate or respond to the COVID-19 national emergency. PHEPA is not limited to private entities.
  - CCDPA applies to businesses subject to the jurisdiction of the FTC, as well as to common carriers and non-profit organizations.
- COVID-19 entry-screening procedures
  - CCDPA addresses information collected during entry screening, such as temperature checks or questionnaires, by defining it as “employee screening data” and excluding it from covered data. Employee screening data is defined as “COVID-19 information of a business’ employees, owners, officers, vendors, visitors, contractors, volunteers, and interns so long as the business only uses the information for the purposes of determining whether the individual is permitted to enter a physical site of operation.”
  - PHEPA contains no comparable exclusion and aims to protect all information that is reasonably related to COVID-19.
- Voting rights
  - PHEPA expressly prohibits COVID-19-related information from being used for any purpose that would restrict or interfere with an individual’s right to vote.
  - CCDPA is silent on this matter.
- Preemption of state law
  - PHEPA cannot be interpreted to preempt or supersede any state law or regulation.
  - CCDPA expressly preempts state law by prohibiting states from adopting or enforcing conflicting laws.
- Private right of action
  - PHEPA creates a private right of action, allowing individuals to bring civil actions and seek monetary damages of $100 to $1,000 per negligent violation and $500 to $5,000 per reckless or willful violation, as well as attorney fees and litigation costs.
  - CCDPA is silent on this matter.
Both proposals address growing data privacy concerns specific to the COVID-19 national emergency. Importantly, both PHEPA and CCDPA impose explicit consent requirements and allow those subject to data collection to revoke that consent. PHEPA is broader in scope, as it covers both private and public entities; CCDPA exempts public entities and data collected pursuant to an employer-employee relationship. Both bills exclude public health authorities, which remain free to collect the information described in the bills as is necessary and reasonable to protect the public. It is telling that CCDPA is silent on the use of COVID-19 information in relation to voting rights; viewed alongside CCDPA’s express preemption of conflicting state laws, this suggests the bill may be intended to infringe on states’ rights in the realm of data privacy. Regardless, the bills have similar overarching goals with respect to protecting COVID-19-related information. The question remains whether either bill will gain bipartisan support, as a cross-party solution could help shape the federal data privacy landscape during the pandemic and beyond.